Despite sparking significant concerns at the start of the week, a widespread supply chain attack that injected malicious code into popular JavaScript packages has yielded a relatively small amount of cryptocurrency. Initial warnings circulated, but data analysis provided by Arkham Intelligence indicates the perpetrators have only managed to acquire approximately $1,043 in digital currency.

Yesterday, Wiz, a cybersecurity firm, released a detailed analysis of this “extensive” supply chain compromise. Their report outlines how attackers utilized social manipulation techniques to seize control of a GitHub account owned by Qix (Josh Junon), a developer known for creating widely used JavaScript code packages.

Following the account takeover, the attackers published updated versions of some of these packages. These updates contained harmful code designed to hook into APIs and cryptocurrency wallet interfaces. The malicious code also actively watched for cryptocurrency transactions, attempting to alter recipient addresses and other crucial transaction information.

Worryingly, Wiz researchers estimate that roughly 10% of cloud environments contain some trace of the malicious code. Furthermore, they found that 99% of all cloud environments utilize at least one of the packages targeted in the attack, although it’s important to note that not all of these environments necessarily downloaded the compromised updates.

Despite the potentially broad impact, Arkham’s data reveals that the attacker’s digital wallets have only accumulated a relatively modest $1,043 so far.

This sum has increased gradually over the past few days, derived primarily from transfers of ERC-20 tokens. Individual transaction values have varied significantly, ranging from as low as $1.29 to as high as $436.

The scope of the attack has also expanded beyond Qix’s npm packages. A recent update from JFrog Security indicates that the DuckDB SQL database management system has also been affected.

JFrog’s statement described the incident as potentially “the largest npm compromise in history,” underscoring the extensive reach and potential severity of the attack.

Speaking to *Decrypt*, Wiz Research emphasized that software supply chain attacks are becoming increasingly prevalent.

“Attackers have come to understand that compromising a single package or dependency offers access to thousands of environments simultaneously,” they explained. “This realization has fueled a consistent increase in such incidents, ranging from typosquatting to the malicious takeover of packages.”

The last few months have indeed seen a rise in comparable events, including the insertion of malicious code into Ethereum’s ETHcode extension in July, which was downloaded over 6,000 times.

“The npm ecosystem is a particularly attractive target due to its widespread adoption and the reliance of developers on transitive dependencies,” noted Wiz Research, whose team includes Hila Ramati, Gal Benmocha, and Danielle Aminov, authors of the Wiz blog post regarding the Qix hack.

Wiz’s analysis of the latest incident stresses the importance of securing the development pipeline. Organizations are strongly encouraged to maintain complete visibility across their entire software supply chain and proactively monitor for any unusual behavior from software packages.

Many organizations and entities appear to have adopted this proactive approach in response to the Qix exploit: the compromised packages were detected within two hours of publication.

This swift detection is considered a primary reason for the limited financial impact of the attack. However, Wiz Research suggests that other factors also contributed to the relatively low losses.

“The attack’s payload was specifically designed to target users meeting certain criteria, which likely reduced its overall reach,” they explained.

Wiz’s researchers also noted that developers are becoming increasingly aware of these types of threats and often have security measures in place to identify and prevent suspicious activity before it can cause significant harm.

“While delayed reports of impact are always possible, based on the current information, the rapid detection and subsequent takedown efforts appear to have effectively limited the attacker’s success,” they concluded.
